isolate pid and uts namespaces on ymp sandbox
sulincix committed Jun 12, 2024
1 parent f577877 commit 29e7005
Showing 1 changed file with 21 additions and 3 deletions.
24 changes: 21 additions & 3 deletions src/ccode/sandbox.c
@@ -5,6 +5,7 @@
#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
@@ -77,7 +78,7 @@ int sandbox(char* type, char** args){
if(sandbox_shared == NULL){
sandbox_shared = "";
}
int flag = CLONE_NEWCGROUP | CLONE_NEWNS | CLONE_NEWUSER;
int flag = CLONE_NEWCGROUP | CLONE_NEWNS | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS;
if(isfile("/.sandbox")){
return operation_main(type,args);
}
@@ -95,6 +96,14 @@ int sandbox(char* type, char** args){
uid_t uid = getuid();
gid_t gid = getgid();
unshare(flag);
int pid = fork();
if (pid != 0) {
int status;
waitpid(-1, &status, 0);
exit(status);
}
/* set new hostname */
sethostname("ymp-sandbox", 11);
/* remap uid */
write_to_file("/proc/self/uid_map", "%d %d 1", sandbox_uid, uid);
/* deny setgroups (see user_namespaces(7)) */
@@ -115,7 +124,13 @@ int sandbox(char* type, char** args){
sandbox_create_tmpfs("/tmp/ymp-root/tmp");
sandbox_create_tmpfs("/tmp/ymp-root/run");
sandbox_bind(get_builddir_priv());
sandbox_bind("/proc/");
/* isolate /proc */
create_dir("/tmp/ymp-root/proc/");
if (mount("proc", "/tmp/ymp-root/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL)) {
printf("Cannot mount proc! errno=%i\n", errno);
exit(1);
}

char *token = strtok(sandbox_shared,":");
while(token != NULL){
sandbox_bind_shared(token);
@@ -141,7 +156,7 @@ int sandbox(char* type, char** args){
}
unshare(CLONE_NEWIPC);
unshare(CLONE_VM);
unshare(CLONE_NEWPID| CLONE_VFORK | SIGCHLD);
unshare(CLONE_VFORK | SIGCHLD);
#if DEBUG
debug(str_add("Sandbox: execute ", type));
#endif
@@ -155,6 +170,9 @@ int sandbox(char* type, char** args){
new_args[cur] = args[cur];
cur++;
}
if(getenv("TERM") == NULL){
setenv("TERM", "linux", 1);
}
exit(operation_main(type,new_args));
/*exit(execvpe("/proc/self/exe",new_args,get_envs())); */
#if DEBUG
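Review bot: The parent branch added after `unshare(flag)` ends with `exit(status)`, which passes the raw wait status; on Linux only the low 8 bits survive, so a sandboxed child that exits with code 1 (status 0x0100) makes the parent exit 0 and a failed operation is reported as success. The same block leaves `unshare(flag)` and `fork()` unchecked: if unshare fails (for example where unprivileged user namespaces are disabled) execution continues without the PID/UTS isolation this commit adds and `sethostname` would act on the caller's original UTS namespace, and a `fork()` result of -1 falls into the parent branch with `status` uninitialised. I would check both calls, wait on `pid` rather than -1, and decode the status with WIFEXITED/WEXITSTATUS as below. This assumes `<sys/wait.h>` is already included above the visible include hunk, since `waitpid` is used. sandbox() starts and ends outside the visible hunks.

```c
if (unshare(flag) != 0) {
    printf("Cannot unshare namespaces! errno=%i\n", errno);
    exit(1);
}
pid_t pid = fork();
if (pid < 0) {
    printf("Cannot fork! errno=%i\n", errno);
    exit(1);
}
if (pid != 0) {
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        exit(1);
    }
    /* propagate the child's real exit code, not the raw wait status */
    exit(WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status));
}
/* … unchanged: sethostname, uid/gid remap … */
```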